Third party assessment document

Posted on By Shafiq Alibhai

Download Blank Third Party Assessment

Type            :             Vendor Assessment
Short Name Question / Description Answer / Value
Name Enter the name
TPA: Project Name Whirlpool project name requesting third party or service provider connection *
TPA: Project Owner Whirlpool project owner requesting third party or service provider connection *
TPA: Business Area Whirlpool business area or process supported by the third party or service provider *
TPA: Service Provider Name Service provider company name *
TPA: Service Provider Contact Service provider or third party contact *
TPA: Target Implementation Date Target implementation date *
TPA: CISO Vendor Chief Information Security Officer (CISO) or equivalent *
TPA: User Directory Choose the user directory used to manage security and provisioning of access on your internal network *
TPA: OS and database List the operating system and database used to manage Whirlpool data Select any number *
Mainframe
Unix
AS400
Windows
Oracle
DB2/UDB
MS SQL
Other
TPA: Datacenter location List the location of the datacenter that hosts Whirlpool data *
Short Name Question / Description Answer / Value Comments
WVA: Organizational Security and Privacy 1 Has a complete and current Information Security policy been established? Yes *
WVA: Organizational Security and Privacy 2 Are retention and destruction requirements documented and followed  for different classifications of data? Yes *
WVA: Organizational Security and Privacy 3 Are  documented guidelines  followed to review relevant laws and regulations; including but not limited to, privacy protection, international privacy law, or data security and their impact to the organizations IS controls? Yes *
WVA: Organizational Security and Privacy 4 Have documented incident management procedures been established to ensure a timely, effective and orderly response to security incidents including coordination with key partners and customers? Yes *
WVA: Organizational Security and Privacy 5 Are documented policies followed for enforcing segregation of duties? Yes *
What types of audits are performed? 2
WVA: Organizational Security and Privacy 6 Are audits performed to ensure compliance of systems with organizational security policies and standards? Yes, external audits are performed on a periodic basis. * SAS-70 , SOX Audit
WVA: Organizational Security and Privacy 7 How often are documented audits/reviews performed of Third Party’s security controls for compliance with service and delivery levels in the agreement? Semi-annually *
WVA: Employment Security 1 Do employees sign a confidentiality (non-disclosure) agreement as part of the initial terms and conditions of employment? Yes *
WVA: Employment Security 2 Are verification (background) investigations conducted on applicants for permanent employment, including third party contractors, vendors, and consultants? Yes for all applicants and is required by contract by any third party vendors *
WVA: Employment Security 3 Are documented guidelines followed for providing security awareness training (SAT) to all personnel? Yes, training is required at least annually *
WVA: Business Continuity 1 Are controls in place  to ensure that back-ups of business information are completed on a regular basis? Yes, full back-ups are performed weekly *
WVA: Business Continuity 2 Are controls in place to ensure that backed-up information, records of the back-up copies, and documented restore procedures be stored in a remote location? Yes, back-up are retained off-site at a distance greater than 15 miles *
WVA: Business Continuity 3 Do policies and procedures exists in to ensure that controls applied to media at the main site are extended to the back-up site? Yes, controls are in place are greater than the main site *
WVA: Physical Security 1 Have controls been established to ensure that physical access to areas with confidential information, and information systems be controlled and restricted to authorized persons only? Yes, documented approval required with physical access controlled by an electronic card key *
WVA: Physical Security 2 Are documented guidelines followed for granting access to visitors? Yes, sign in and data center manager approval required *
When are the audits performed? 2
WVA: Physical Security 3 How often are reviews of access rights to secure areas are conducted? Access rights  are reviewed semi-annually * After Every 6 month(dec and july)
WVA: Physical Security 4 Are controls in place to address the possibility of damage from fire in secure areas? Yes, fire detection in place  with automated fire suppression system in place *
WVA: Physical Security 5 Have controls been established to ensure uninterruptible power supplies (UPS) are put in place to protect critical equipment from power failures? Yes, equipment protected by UPS and generator back-up *
WVA: Software Development 1 Are documented guidelines followed to separate development, test and production (operational) environments? Yes *
WVA: Software Development 2 Are all security requirements identified and justified during the requirements phase of projects? Yes *
WVA: Software Development 3 Are formal procedures and management responsibilities defined and documented to require satisfactory control of all changes to equipment, software or procedures including formal approval, recording, and communication of changes? Yes *
WVA: Software Development 4 Do documented guidelines require static code testing, vulnerability scanning, and web application scanning of applications before migration to production N/A *
WVA: Software Development 5 Do technical compliance checks include static code tests, vulnerability scans, and web application scans for existing systems and applications? Yes, all three types of testing are deployed at every release *
WVA: Software Development 6 Have controls been established to protect the storing of confidential data on local devices ? Yes, local encryption required *
WVA: Security Operations 1 How often are security logs reviewed? Security logs  contain user ID, failed log-ins, and other security events and are reviewed weekly *
WVA: Security Operations 2 Are documented guidelines followed to ensure access controls of mobile devices  (Laptops, PDA’s Etc.) ? Yes, encryption required *
WVA: Security Operations 3 Have all critical systems with real-time clocks had their time set and synchronized with a common Network Time Protocol (NTP) service? Yes *
WVA: Security Operations 4 Are cryptographic systems and techniques used for storage of information that is considered confidential? Yes, for all confidential data *
WVA: Security Operations 5 Have controls been established to ensure the handling of compromised keys? Yes, compromised key is revoked *
WVA: Security Operations 6 How often are security or vulnerability patches applied? Patches are applied more frequently than monthly *
WVA: Security Operations 7 Have controls been established to ensure installation and regular update of anti-virus  software to protect computers on a precautionary or routine basis? Yes, virus definitions are updated daily *
WVA: Security Operations 8 Do the media handling procedures ensure the safe and secure storage of media containing confidential information? Yes *
WVA: Security Operations 9 Do the media handling procedures ensure the safe and secure disposal of electronic media containing confidential information? Yes, media is disposed in a way that renders the data irretrievable *
WVA: Security Operations 10 Do the media handling procedures ensure the safe and secure disposal of paper documents containing confidential information? Yes, media is disposed in a way that renders the document irretrievable *
WVA: Security Operations 11 Is access to the modify job schedules limited to authorized personnel? Yes *
WVA: Security Operations 12 Have mechanisms been implemented to protect electronically published information (web sites, ftp, etc)? Yes, PGP or other enhanced encryption *
WVA: Security Operations 13 Have mechanisms been implemented to protect information on media in transit between organizations (i.e. backup tapes)? Yes, secure package handling controls *
WVA: Security Operations 14 Are the domains with different security needs separated by secure gateways? Yes, DMZ’s exist for internal and external network *
WVA: Security Operations 15 Are documented guidelines followed for the secure exchange of confidential information to prevent  the unauthorized disclosure and misuse? Yes, documented and encryption is always required *
WVA: Security Operations 16 Are documented guidelines followed to safeguard the confidentiality and integrity of data passing over wireless networks? Yes, WEP encryption *
WVA: Security Operations 17 Have mechanisms been implemented to protect confidential information contained in electronic mail (Email) between organizations? Yes, SSL/TLS is required *
WVA: Password Controls 1 Does the authentication method to gain access to the network utilize passwords? Passwords are used *
WVA: Password Controls 2 What is the minimum password length available to end-users? Requires at least 6 characters *
WVA: Password Controls 3 How often are end-users forced to change their passwords? Quarterly *
WVA: Password Controls 4 What are the minimum password complexity requirements being enforced for end-users? Mixed case alphabetic, numeric, and plus special characters *
WVA: Password Controls 5 Are end-users restricted from using previous passwords (password history)? No password re-use restrictions *
WVA: Password Controls 6 Are users forced to change their password during first login? Users are forced to change passwords on first login *
WVA: Password Controls 7 Are passwords hidden during authentication? Passwords characters are masked *
WVA: Password Controls 8 Is a complete & current mechanism in place to report & reset lost or compromised passwords? Secure self service password reset mechanism *
WVA: Infrastructure Access 1 When authentication fails, is the user informed of which portion of the authentication process failed? Message indicates which portion of the authentication process failed *
WVA: Infrastructure Access 2 Are authentication credentials securely communicated across the network? Authentication credentials are securely encrypted using  industry standards *
WVA: Infrastructure Access 3 Are accounts locked after several failed login attempts? Locked after 3 or more failed attempts *
WVA: Infrastructure Access 4 How long before the system automatically re-enables the account after an account lock out? Auto unlock after 30 minutes or more *
WVA: Infrastructure Access 5 How often are accounts reviewed for deactivation (due to inactivity, termination, etc)? Recurring =<6 months *
WVA: Infrastructure Access 6 Have control requirements been established for requesting, establishing, and issuing user accounts? Yes *
WVA: Infrastructure Access 7 How often is a review of  accounts and related privileges conducted? Accounts with access to confidential data are reviewed =<6 months *
WVA: Infrastructure Access 8 Are controls in place to ensure all user activities on IT systems are uniquely identifiable? Yes, all user accounts have unique IDs and are not shared *
WVA: Infrastructure Access 9 Are access rights immediately adjusted for users who have changed jobs? Yes, as requested by management *
WVA: Infrastructure Access 10 Is a documented termination procedure followed which includes the removal of access rights? Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. *
WVA: Application Password Controls 1 Does the application that houses Whirlpool information conform to the exact access and password controls for your infrastructure? Yes *
WVA: Application Password Controls 2 Does the authentication method to gain access to the application utilize passwords? Passwords are used *
WVA: Application Password Controls 3 What is the minimum password length available to end-users? Requires at least 6 characters *
WVA: Application Password Controls 4 How often are end-users forced to change their passwords for the application? Quarterly *
WVA: Application Password Controls 5 What are the minimum application password complexity requirements being enforced for end-users? Mixed case alphabetic, numeric, and plus special characters *
WVA: Application Password Controls 6 Are end-users restricted from using previous application passwords (password history)? No password re-use restrictions *
WVA: Application Password Controls 7 Are users forced to change their application password during first login? Users are forced to change passwords on first login *
WVA: Application Password Controls 8 Are passwords hidden during authentication? Passwords characters are masked *
WVA: Application Password Controls 9 Is a complete & current mechanism in place to report & reset lost or compromised application passwords? Secure self service password reset mechanism *
WVA: Application Access Controls 1 When the application authentication fails, is the user informed of which portion of the authentication process failed? Message indicates which portion of the authentication process failed *
WVA: Application Access Controls 2 Are application authentication credentials securely communicated across the network? Authentication credentials are securely encrypted using  industry standards *
WVA: Application Access Controls 3 Are application accounts locked after several failed login attempts? Locked after 3 or more failed attempts *
WVA: Application Access Controls 4 How long before the system automatically re-enables the application account after an account lock out? No auto unlock, manual administrator unlock only *
WVA: Application Access Controls 5 How often are application accounts reviewed for deactivation (due to inactivity, termination, etc)? Recurring =<6 months *
WVA: Application Access Controls 6 Have application control requirements been established for requesting, establishing, and issuing user accounts? Yes *
WVA: Application Access Controls 7 How often is a review of  application accounts and related privileges conducted? Accounts with access to confidential data are reviewed =<6 months *
WVA: Application Access Controls 8 Are controls in place to ensure all user activities in the application  are uniquely identifiable? Yes, all user accounts have unique IDs and are not shared *
WVA: Application Access Controls 9 Are application access rights immediately adjusted for users who have changed jobs? Yes, as requested by management *
WVA: Application Access Controls 10 Is a documented termination procedure followed which includes the removal of application access rights? Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. *
WVA: Vendor Portal Access and Password Control 1 Do you provide access to a web based portal? Yes *
Does is conform with Infrastructure or Application password controls? 2
WVA: Vendor Portal Access and Password Control 2 Does the web portal access and password controls conform to either the infrastructure or application password and access controls? Yes * Yes
WVA: Vendor Portal Access and Password Control 3 Does the authentication method to gain access to the  portal utilize passwords? Passwords are used *
WVA: Vendor Portal Access and Password Control 4 What is the minimum password length available to end-users? Requires at least 6 characters *
WVA: Vendor Portal Access and Password Control 5 How often are end-users forced to change their passwords for the portal ? Quarterly *
WVA: Vendor Portal Access and Password Control 6 What are the minimum portal password complexity requirements being enforced for end-users? Mixed case alphabetic, numeric, and plus special characters *
WVA: Vendor Portal Access and Password Control 7 Are end-users restricted from using previous portal passwords (password history)? No password re-use restrictions *
WVA: Vendor Portal Access and Password Control 8 Are users forced to change their portal password during first login? Users are forced to change passwords on first login *
WVA: Vendor Portal Access and Password Control 9 Are passwords hidden during authentication? Passwords characters are masked *
WVA: Vendor Portal Access and Password Control 10 Is a complete & current mechanism in place to report & reset lost or compromised portal passwords? Secure self service password reset mechanism *
WVA: Vendor Portal Access and Password Control 11 When the portal authentication fails, is the user informed of which portion of the authentication process failed? Message indicates which portion of the authentication process failed *
WVA: Vendor Portal Access and Password Control 12 Are portal authentication credentials securely communicated across the network? Authentication credentials are securely encrypted using  industry standards *
WVA: Vendor Portal Access and Password Control 13 Are portal accounts locked after several failed login attempts? Locked after 3 or more failed attempts *
WVA: Vendor Portal Access and Password Control 14 How long before the system automatically re-enables the portal account after an account lock out? Auto unlock after 30 minutes or more *
WVA: Vendor Portal Access and Password Control 15 How often are portal accounts reviewed for deactivation (due to inactivity, termination, etc)? Recurring =<6 months *
WVA: Vendor Portal Access and Password Control 16 Have portal control requirements been established for requesting, establishing, and issuing user accounts? Yes *
WVA: Vendor Portal Access and Password Control 17 How often is a review of  portal accounts and related privileges conducted? Accounts with access to confidential data are reviewed =<6 months *
WVA: Vendor Portal Access and Password Control 18 Are controls in place to ensure all user activities in the portal are uniquely identifiable? Yes, all user accounts have unique IDs and are not shared *
WVA: Vendor Portal Access and Password Control 19 Are portal access rights immediately adjusted for users who have changed jobs? Yes, as requested by management *
WVA: Vendor Portal Access and Password Control 20 Is a documented termination procedure followed which includes the removal of portal access rights? Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. *
Short Name Question / Description Answer / Value
Vendor Access to Whirlpool Data Types What type of Whirlpool data does the vendor have access to? Select at least 1 *
Employee Compensation
Country Specific Personal ID (e.g. social security number[US], social insurance number[Canada])
Employee Health Information
Employee Criminal Information
Employee Contact Information
Employee Benefits Information
Employee Performance/Talent Ratings
Employee Emergency Contact Information
Employee Demographic Information
Credit Card Information
X Consumer Contact Information
Customer Service Center Call History
Prospective Customer Information
Consumer Demographic Information
Pre-release Financial Information
Business Development Information
Board and Executive Committee Materials
Restructuring Information
Corporate Strategy
Regional Trade Sensitive Information
Aggregate Corporate Forecast and Planning Information
Historical Earnings Information
Capital Plan and Spend Information
Treasury Information
Tax Information
Internal Audit Information
Supply Chain Cost Information
IS Security Incident Information
IS Vulnerability Information
Application Code and Documentation
System Performance Information
Detailed System Information
Vendor Access to Whirlpool Data What type of access does the vendor have to Whirlpool data? Select at least 1 *
X Systemic
Adhoc or Limited
Read Only Access
Whirlpool Corporation                                                                                                  Page 1 of 1                                                                                                                                        Confidential
No, back-up copies are stored onsite
Yes, DMZ’s exist for internal and external network
Users are not forced to change passwords on first login
Users are forced to change passwords on first login
Manual reset password process via Helpdesk with no user identification mechanism
Manual reset password process via Helpdesk with a mechanism to positively ID user
Ad hoc reviews and updates
Accounts are reviewed on a ad hoc basis
Users are not forced to change passwords on first login
Users are forced to change passwords on first login
Manual reset password process via Helpdesk with no user identification mechanism
Manual reset password process via Helpdesk with a mechanism to positively ID user
Ad hoc reviews and updates
Accounts are reviewed on a ad hoc basis
Users are not forced to change passwords on first login
Users are forced to change passwords on first login
Manual reset password process via Helpdesk with no user identification mechanism
Manual reset password process via Helpdesk with a mechanism to positively ID user
Ad hoc reviews and updates
Accounts are reviewed on a ad hoc basis